| author | Steven Hardy <shardy@redhat.com> | 2013-09-02 16:32:40 +0100 |
|---|---|---|
| committer | Steven Hardy <shardy@redhat.com> | 2013-09-04 00:12:07 +0100 |
| commit | e686699b00ee2ca190946261677d89641707e6c6 (patch) | |
| tree | 4b97fa0d2968e82f67180ad04cd5072b6fc2cf92 /etc | |
| parent | ff0122f83f13082b3a89f38fe2aa0b52c7e6d492 (diff) | |
| download | heat-e686699b00ee2ca190946261677d89641707e6c6.tar.gz | |
Migrate stored credentials to keystone trusts
Migrate the stored user_creds, which currently only supports
storing username/password credentials to use the keystone v3
API OS-TRUST extension, which allows explicit impersonation of
users calling heat (trustors) by the heat service user (the
trustee).
Note this feature is made optional via a new config option,
defaulted to off, and it requires the following patches to
keystoneclient (in 0.3.2 release) and keystone to work:
https://review.openstack.org/#/c/39899/
https://review.openstack.org/#/c/42456/
Also note that if the feature is enabled, by setting
deferred_auth_method=trusts in heat.conf, you must add
a keystone_authtoken section, which is also used by the
keystoneclient auth_token middleware.
blueprint heat-trusts
Change-Id: I288114d827481bc0a24eba4556400d98b1a44c09
Diffstat (limited to 'etc')

| -rw-r--r-- | etc/heat/heat.conf.sample | 67 |
|---|---|---|

1 files changed, 67 insertions, 0 deletions
diff --git a/etc/heat/heat.conf.sample b/etc/heat/heat.conf.sample index 90e608f5a..d8f238fd9 100644 --- a/etc/heat/heat.conf.sample +++ b/etc/heat/heat.conf.sample @@ -24,6 +24,13 @@ # The directory to search for environment files (string value) #environment_dir=/etc/heat/environment.d +# Select deferred auth method, stored password or trusts +# (string value) +#deferred_auth_method=password + +# Subset of trustor roles to be delegated to heat (list value) +#trusts_delegated_roles=heat_stack_owner + # Name of the engine node. This can be an opaque identifier.It # is not necessarily a hostname, FQDN, or IP address. (string # value) @@ -86,6 +93,17 @@ # +# Options defined in heat.openstack.common.db.sqlalchemy.session +# + +# the filename to use with sqlite (string value) +#sqlite_db=heat.sqlite + +# If true, use synchronous mode for sqlite (boolean value) +#sqlite_synchronous=true + + +# # Options defined in heat.openstack.common.eventlet_backdoor # 
@@ -460,6 +478,55 @@ #use_tpool=false +# +# Options defined in heat.openstack.common.db.sqlalchemy.session +# + +# The SQLAlchemy connection string used to connect to the +# database (string value) +#connection=sqlite:////heat/openstack/common/db/$sqlite_db + +# The SQLAlchemy connection string used to connect to the +# slave database (string value) +#slave_connection= + +# timeout before idle sql connections are reaped (integer +# value) +#idle_timeout=3600 + +# Minimum number of SQL connections to keep open in a pool +# (integer value) +#min_pool_size=1 + +# Maximum number of SQL connections to keep open in a pool +# (integer value) +#max_pool_size=<None> + +# maximum db connection retries during startup. (setting -1 +# implies an infinite retry count) (integer value) +#max_retries=10 + +# interval between retries of opening a sql connection +# (integer value) +#retry_interval=10 + +# If set, use this value for max_overflow with sqlalchemy +# (integer value) +#max_overflow=<None> + +# Verbosity of SQL debugging information. 0=None, +# 100=Everything (integer value) +#connection_debug=0 + +# Add python stack traces to SQL as comment strings (boolean +# value) +#connection_trace=false + +# If set, use this value for pool_timeout with sqlalchemy +# (integer value) +#pool_timeout=<None> + + [paste_deploy] # |
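Review bot: the `deferred_auth_method` option added in the first hunk (`#deferred_auth_method=password`) does not document its accepted values or the dependency the commit message spells out. The comment `# Select deferred auth method, stored password or trusts` should name the two values (`password`, `trusts`) and state that `trusts` requires a `keystone_authtoken` section in heat.conf; an operator reading only the sample file will otherwise enable trusts and miss the required section. For `trusts_delegated_roles` the comment could also say that the roles listed are what the heat service user (the trustee) can exercise when acting for the stack owner (the trustor), so the list should stay at the minimum roles stack operations need; the `heat_stack_owner` default is a reasonable starting point.

Review bot: the `sqlite_db` and `sqlite_synchronous` options added in the second hunk under `heat.openstack.common.db.sqlalchemy.session` are unrelated to the trusts migration the commit message describes; they look like oslo db options picked up by regenerating heat.conf.sample. Either mention in the commit message that the sample was regenerated and pulls in the sqlalchemy session options, or split the regeneration into its own change so the configuration diff for the trusts feature can be reviewed on its own.

Review bot: the default `#connection=sqlite:////heat/openstack/common/db/$sqlite_db` in the third hunk is an absolute path under `/heat/openstack/common/db/`, which is the generator's module location leaking into the sample rather than a location a deployment would use; consider documenting it as a value the operator must set (for example a path under the service's state directory) so the bogus default is not copied into real configs. Because a SQLAlchemy connection string typically carries the database credentials, the comment block could also remind operators that heat.conf must remain readable only by the service user, which matters more here given that the database holds the stored user_creds the commit message describes.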